magpie-strategy

Fail

Audited by Snyk on Jun 28, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). These are third‑party project URLs (a GitHub repo + raw.githubusercontent links and a project API domain) that instruct users to curl/npx and execute downloaded scripts with auth tokens—not binary downloads but an untrusted download-and-run workflow that can execute arbitrary code, access credentials, or perform unwanted actions, so it is suspicious.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly a trading/funds-management agent: it defines trading “books”, wallet environment variables (MAGPIE_PRE_LISTING_WALLET, MAGPIE_GRADUATION_WALLET), cross-margined wallet handling, margin limits, order execution details ("FEE_OPTIMIZED_LIMIT entries + exits, taker-true"), position sizing and leverage, and persistent state for flips/conversions. It also names and forbids direct execution tools for user sessions (create_position, close_position, edit_position, cancel_order, strategy_close, etc.), which implies those tools exist and are used by the producer/engine. These are direct market-order and position-management capabilities (i.e., moving money/placing/canceling trades), not generic helpers — therefore this grants Direct Financial Execution Authority.

Issues (2)

E005
CRITICAL

Suspicious download URL detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 28, 2026, 08:48 PM
Issues
2
Security Audit — snyk — magpie-strategy